OFFICE OF INSPECTOR GENERAL

AUDIT OF THE MILLENNIUM CHALLENGE CORPORATION'S FISCAL YEAR 2014 COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

AUDIT REPORT NO. A-MCC-14-008-P
SEPTEMBER 12, 2014

WASHINGTON, DC

This is a summary of our report on the Audit of the Millennium Challenge Corporation's Fiscal Year 2014 Compliance With the Federal Information Security Management Act of 2002 (Report No. A-MCC-14-008-P). The Federal Information Security Management Act of 2002 (FISMA) requires agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. The act also requires agencies to have an annual assessment of their information systems.

The Office of Inspector General (OIG) contracted with the independent certified public accounting firm of CliftonLarsonAllen LLP to conduct the audit. Clifton was required to conduct the audit in accordance with U.S. Government auditing standards. The objective was to determine whether the Millennium Challenge Corporation (MCC) implemented selected minimum security controls for selected information systems in support of FISMA.

To answer the audit objective, Clifton assessed whether MCC implemented selected management, technical, and operational controls outlined in National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3.* Clifton performed audit fieldwork at MCC's headquarters in Washington, D.C., from March 12 through June 27, 2014.

The audit concluded that MCC implemented 104 of 116 selected security controls for selected information systems in support of FISMA. For example, MCC complied with requirements by doing the following:

•   Categorized its information systems and the information processed, stored, or transmitted in accordance with federal guidelines and designated a senior-level official to review and approve the security categorizations.

•   Implemented an effective incident handling and response program.

•   Maintained an adequate and effective specialized training program for its employees requiring role-based training.

•   Implemented an effective identification and authentication program.

•   Established appropriate segregation of duties in MCCNet, a general support system through which all MCC systems interact and communicate.

Although MCC generally had policies for its information security program, Clifton found that MCC's implementation of those policies was not fully effective to preserve the confidentiality, integrity, and availability of the Agency's information and information systems, potentially exposing them to unauthorized access, use, disclosure, disruption, modification, and destruction. The audit identified areas in the information security program that MCC could improve. Accordingly, OIG made seven recommendations to help MCC strengthen its information security program. After reviewing Clifton's evaluation of management comments and the documentation provided by MCC, we acknowledge management decisions on all recommendations and final action on Recommendation 7.

* National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, took effect during the audit. Because it did not significantly change the findings, Clifton used Revision 4.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel.: 202-712-1150
Fax: 202-216-3047
http://oig.usaid.gov